Archive for March, 2009

Boak’s Puzzle: Disposing of Classified Trash

March 23rd 2009

Recently I was skimming through the NSA’s “classified history of COMSEC” (posted at governmentattic.com).  This “history” is a transcription of lectures by David G. Boak, who liked to explain NSA-related topics from a historical perspective. He clearly inspired a generation of NSA’s employees. The last “real” page of the document contains a humorous story and a crypto puzzle (link to pdf).

The NSA had an incinerator in their old Arlington Hall facility that was designed to reduce top secret crypto materials and such to ash. Someone discovered that it wasn’t in fact working. Contract disposal trucks had been disposing of this not-quite-sanitized rubbish, and officers tracked down a huge pile in a field in Ft. Meyer.

How did they dispose of it? The answer is encrypted in the story’s text!


Posted under History of Technology & Security & Tech Teaching | 7 Comments »

Techno-zombies and Pluribus

March 21st 2009

I’m always amazed at how long a piece of apparently obsolete equipment can remain in service, especially in government service. Bruce Schneier’s blog listed a link to NSA’s 1991 video catalog at governmentattic.org. The catalog grants us an interesting if spotty view into the world of crypto gear and classified data collection systems.

I was particularly astonished to see inclusion of a video about the Pluribus – a long-obsolete Arpanet-era packet switch. I worked on the beast: it was overbuilt and underpowered. And unreliable (more on that another time). In the ideal world of tech, such obsolete junk should have been recycled by 1991. I was optimistic.


Posted under History of Technology & Security | No Comments »

Password Recovery Speeds

March 13th 2009

Ivan Lucas of “Lockdown.co.uk” has posted an interesting summary of Password Recovery Speeds. These are scaled on the assumption that the attacker will do trial-and-error attempts of all possible permutations. I think it would be interesting to include a scale that considers ‘likely’ password selections.

I’ve been reviewing postings from the past few months that look at password selection, including a password list stolen from phpbb, a built-in list used for cracking by the Conficker worm, and a list of the “500 most common passwords” from a book called Perfect Passwords. Bruce Schneier also did a thing on MySpace passwords back in 2006. Dan Klein did the classic assessment of password selection and cracking way back in 1990, and it seems like people’s choices haven’t changed a lot since then.

Aside from speedup due to Moore’s Law, I don’t think password security has changed much since 1990.

Posted under Security | No Comments »

Donor Data Exposed from MN Senate Race

March 13th 2009

The election may have been last year, but the race for Minnesota’s US Senate seat drags on. Back in January, Minneapolis techie and consultant Adria Richards went to visit the web site belonging to former Sen. Norm Coleman’s campaign – he’s shy about 200 votes and hanging on through court challenges.

What Richards found was a mess. Especially bad: the site did not prevent browsers from listing site directories – a huge security snafu. Richards navigated through the directories and found one with the intriguing title “db” – suggesting database. Sure enough, the directory contained a database that apparently lists Coleman’s political donors.

Richards documented her visit via photos and screen captures and has posted a tour of Coleman’s web site on her blog.


Posted under Security | No Comments »